Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2506 closed task (fixed)

mailman: unsolicited mass subscription attempts

Reported by: neteler Owned by: sac@…
Priority: blocker Milestone: Sysadmin Contract 2020-II
Component: SysAdmin Keywords: Mailing Lists
Cc: bjorn

Description

This case https://lists.osgeo.org/pipermail/geoforall/2020-August/005734.html

and many comments to me as a list admin let me investigate the case of apparent mass subscription attempts: many users to many OSGeo lists.

What I found out by analysing the mailman subscription logs:

This IP 198.46.202.103

nslookup 198.46.202.103
...
Non-authoritative answer:
103.202.46.198.in-addr.arpa	name = 198-46-202-103-host.colocrossing.com.

tried to subscribe > 2831 (!) different email addresses to 286 OSGeo lists:

# how many different email addresses:
grep 198.46.202.103 subscribe* | cut -d' ' -f8 | sort -u | wc -l
2831

# how many OSGeo lists used
grep 198.46.202.103 subscribe* | cut -d' ' -f6 | sort -u | wc -l
286

Hence, we see a new quality of spammers being active here who try to subscribe email addresses they apparently have harvested somewhere to our mailman server, like trying to subscribe one email to many OSGeo lists. Normally nothing happens (that's why I don't understand yet the spammer's interest in this) unless the email owner actually accepts the confirmation email.

Question: can we block these attacks?

Maybe related to #2475

Change History (10)

comment:1 by neteler, 4 years ago

Found some hints:

Seems we need (if we don't have yet) to activate some SUBSCRIBE_FORM_SECRET secret.

Anyone?

comment:2 by cvvergara, 4 years ago

I found this solution https://www.ralfj.de/blog/2018/06/10/mailman-subscription-spam-continued.html

at the bottom it mentions:

Update: With Mailman 2.1.30, this patch is now included upstream. The CAPTCHAS format is slightly different than above to support multiple languages; consult the Mailman documentation for further details. /Update

and we have 2.1.20

Will go verify that 2.1.30 does have the capthca

comment:3 by strk, 4 years ago

Cc: bjorn added

Mass unsubscription also happened in postgis-devel. 7 people were unsubscribed.

comment:4 by neteler, 4 years ago

Let's pls update mailman.

comment:5 by strk, 4 years ago

Sorry, I see this ticket is about mass _subscription_, not unsubscription. We probably need another ticket for unsubscription. Martin: SUBSCRIBE_FORM_SECRET is set already (since 2016)

comment:6 by strk, 4 years ago

Mailman upgrade ticket is #2174 -- neteler your input is going to be useful there

comment:7 by strk, 4 years ago

Milestone: UnplannedSysadmin Contract 2020-II

comment:8 by strk, 4 years ago

We are at 2.1.34 now, what's left to do for this ticket ?

comment:9 by strk, 4 years ago

Resolution: fixed
Status: newclosed

Assuming closed by upgrade. Feel free to reopen if this is not the case.

comment:10 by neteler, 4 years ago

I just checked

/var/log/mailman/subscribe.*

and no longer see undesired mass-subscription attempts.

Note: See TracTickets for help on using tickets.